No 'default' route in outgoing load balance
-
I'm trying to set up a dual-WAN outgoing load balance on pfSense 1.0.1. I've attempted to follow the instructions from the wiki, by doing the following:
- Assigned and configured LAN, WAN, and OPT1 (WAN2). On my WANs, I have no issues pinging my gateways for each interface.
- Created a new 'gateway' pool under Services -> Load Balancer, listing each WAN's gateway in the IP list (e.g. WAN2's IP is 61.17.126.74/24, so I added 61.17.126.1 to the IP list).
- Changed the default LAN outgoing rule under Firewall -> Rules -> LAN from 'default' to 'wan_balance' (the name assigned to my pool in the previous step).
- From the command prompt on the pfSense box, I cannot ping or connect to any host not explicitly listed in the routing table. I can ping each WAN's gateway fine, but nothing past that. My 'netstat -rn' lists no 'default' gateway. If I manually add a default gateway as one of my WANs' gateways, everything flows fine over that one connection.
- If I reboot (to flush the changes I manually made to the routing table via 'route') and try altering the LAN outgoing rule from 'wan_balance' to my OPT1 connection, no traffic will flow, as there is no default gateway rule present.
I've reset the configuration and set it up from scratch several times with the same results. Most of my configuration I've had to do without the main WAN plugged in (so as not to completely disable my office during testing), but when doing this I've altered my load balance pool to only contain the OPT1 connection, and if I'm overriding the default outgoing rule to only concern the OPT1 interface (either directly or via the load balancer pool), I can't imagine that the lack of a WAN would make a difference.
-
Here's my entire config XML in case that helps (in its current form, with only OPT1 in the load balancer pool, so as not to completely disable my office network when testing):
<pfsense>
  <version>2.3</version>
  <lastchange></lastchange>
  <theme>metallic</theme>
  <system>
    <optimization>normal</optimization>
    <hostname>pfSense</hostname>
    <domain>example.com</domain>
    <dnsallowoverride></dnsallowoverride>
    <username>admin</username>
    <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
    <timezone>America/Chicago</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>http</protocol>
      <certificate></certificate>
      <private-key></private-key>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <dnsserver>10.10.10.15</dnsserver>
    <dnsserver></dnsserver>
    <enablesshd>yes</enablesshd>
    <maximumstates></maximumstates>
  </system>
  <interfaces>
    <lan>
      <if>rl0</if>
      <ipaddr>10.10.10.2</ipaddr>
      <subnet>24</subnet>
      <media></media>
      <mediaopt></mediaopt>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
    </lan>
    <wan>
      <if>rl1</if>
      <mtu></mtu>
      <ipaddr>64.16.187</ipaddr>
      <subnet>29</subnet>
      <gateway>64.16.187.54</gateway>
      <blockpriv>on</blockpriv>
      <disableftpproxy></disableftpproxy>
      <dhcphostname></dhcphostname>
      <media></media>
      <mediaopt></mediaopt>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
      <spoofmac></spoofmac>
    </wan>
    <opt1>
      <if>rl2</if>
      <descr>WAN2Speakeasy</descr>
      <bridge></bridge>
      <enable></enable>
      <ipaddr>69.17.126.74</ipaddr>
      <subnet>24</subnet>
      <gateway>69.17.126.1</gateway>
      <spoofmac></spoofmac>
    </opt1>
    <opt2>
      <if>rl3</if>
      <descr>OPT2</descr>
    </opt2>
  </interfaces>
  <staticroutes></staticroutes>
  <pppoe>
    <username></username>
    <password></password>
  </pppoe>
  <pptp>
    <username></username>
    <password></password>
    <local></local>
  </pptp>
  <bigpond>
    <username></username>
    <password></password>
    <authserver></authserver>
    <authdomain></authdomain>
    <minheartbeatinterval></minheartbeatinterval>
  </bigpond>
  <dyndns>
    <type>dyndns</type>
    <username></username>
    <password></password>
  </dyndns>
  <dhcpd>
    <lan>
      <range>
        <from>10.10.10.10</from>
        <to>10.10.10.245</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <mode></mode>
    <redir></redir>
    <localip></localip>
  </pptpd>
  <ovpn></ovpn>
  <dnsmasq>
    <enable></enable>
  </dnsmasq>
  <snmpd>
    <syslocation></syslocation>
    <syscontact></syscontact>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat></ipv6nat>
  </diag>
  <syslog></syslog>
  <nat>
    <ipsecpassthru></ipsecpassthru>
    <advancedoutbound>
      <rule>
        <source>
          <network>10.10.10.0/24</network>
        </source>
        <sourceport></sourceport>
        <descr>Auto created rule for LAN</descr>
        <target></target>
        <interface>wan</interface>
        <destination>
          <any></any>
        </destination>
        <natport></natport>
      </rule>
      <rule>
        <source>
          <network>10.10.10.0/24</network>
        </source>
        <sourceport></sourceport>
        <descr>Auto created rule for LAN</descr>
        <target></target>
        <interface>opt1</interface>
        <destination>
          <any></any>
        </destination>
        <natport></natport>
      </rule>
      <enable></enable>
    </advancedoutbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <max-src-nodes></max-src-nodes>
      <max-src-states></max-src-states>
      <statetimeout></statetimeout>
      <statetype>keep state</statetype>
      <os></os>
      <protocol>tcp</protocol>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any></any>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes></max-src-nodes>
      <max-src-states></max-src-states>
      <statetimeout></statetimeout>
      <statetype>keep state</statetype>
      <os></os>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any></any>
      </destination>
      <descr>Default LAN -> any</descr>
      <gateway>wan_balance</gateway>
    </rule>
  </filter>
  <ipsec>
    <preferredoldsa></preferredoldsa>
  </ipsec>
  <aliases></aliases>
  <proxyarp></proxyarp>
  <wol></wol>
  <installedpackages></installedpackages>
  <revision>
    <description>/system_advanced.php made unknown change</description>
    <time>1162530457</time>
  </revision>
  <load_balancer>
    <lbpool>
      <type>gateway</type>
      <monitorip></monitorip>
      <name>wan_balance</name>
      <desc>Balaner from LAN to Nuvox/Speakeasy</desc>
      <port></port>
      <servers>69.17.126.1|69.17.126.1</servers>
    </lbpool>
  </load_balancer>
</pfsense>
and my IPv4 'netstat -rn' output:
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.10.10/24        link#1             UC          0        0    rl0
10.10.10.15        00:12:3f:d2:d3:4a  UHLW        1       11    rl0   1197
10.10.10.160       00:0a:95:af:82:7e  UHLW        1      333    rl0    933
64.16.0.184/29     link#2             UC          0        0    rl1
69.17.126/24       link#3             UC          0        0    rl2
69.17.126.1        00:90:1a:41:04:37  UHLW        1      297    rl2   1172
127.0.0.1          127.0.0.1          UH          0        0    lo0
-
Load balancing has nothing to do with static routes or default gateways in the system's routing table. Are you testing from behind the pfSense? The pfSense itself can't utilize load balancing/policy-based routing. Only connections running through the pfSense can be balanced.
-
I don't quite follow what you did, but what the heck happened to your default route?!?!?!
–Bill
-
Just for the Linux people: FreeBSD only has ONE default route (as of today's date), and we manipulate the routing table with PF. Which also means the firewall itself is unaffected by this policy.
Now back to your regular scheduled thread.
-
Load balancing has nothing to do with static routes or default gateways in the system's routing table. Are you testing from behind the pfSense? The pfSense itself can't utilize load balancing/policy-based routing. Only connections running through the pfSense can be balanced.
I've tested from a computer using the pfSense box itself as well as straight from the pfSense console. Are you saying, however, that pfSense itself will only use the WAN link (assuming that the default gateway is set up for it)?
Also, how can I examine the rules that pf is using? I haven't run a BSD since OpenBSD 2.6, and in those days I just remember checking the pf.conf (or was it ipf back then?) to see the rules laid out in the flat file – and it seems pfSense doesn't load/save its rules via that file.
-
The file that gets loaded into pf is located at /tmp/rules.debug. You can view it either at diagnostics>edit file or by downloading it via diagnostics>command.
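To make the two replies above concrete, this is what a pfSense gateway pool amounts to once it reaches pf: a route-to rule on the LAN interface, which leaves the firewall's own traffic on the kernel's default route. The snippet is an added illustration for this thread, not the poster's config or the actual generated /tmp/rules.debug; the interface names, LAN subnet and gateway addresses are taken from the posted config, and the macro names are made up here.

```pf
# Illustration only (not from the thread and not pfSense's generated
# rules). Interface and gateway values come from the posted config;
# the macro names are invented for readability.
lan_if  = "rl0"
wan_if  = "rl1"
wan2_if = "rl2"
wan_gw  = "64.16.187.54"
wan2_gw = "69.17.126.1"
lan_net = "10.10.10.0/24"

# Outbound NAT on both uplinks (the two "Auto created rule for LAN"
# entries in the posted <advancedoutbound> section).
nat on $wan_if  from $lan_net to any -> ($wan_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# The LAN rule with <gateway>wan_balance</gateway> becomes this: packets
# arriving on LAN are policy-routed by pf across the pool, round-robin.
# The kernel routing table is never consulted for these packets, so a
# missing "default" entry does not affect them.
pass in on $lan_if route-to { ($wan_if $wan_gw), ($wan2_if $wan2_gw) } round-robin \
    from $lan_net to any keep state

# Nothing above touches packets the firewall originates (pings or DNS
# lookups typed at the console): route-to acts only on packets passing
# in on $lan_if. The box's own traffic still needs a default route in
# the kernel table, which is why a netstat -rn with no "default" line
# leaves the pfSense itself unable to reach anything past the directly
# connected gateways while LAN hosts are unaffected.
pass out on { $wan_if $wan2_if } from { ($wan_if) ($wan2_if) } to any keep state
```

The posted pool lists 69.17.126.1 twice because only OPT1 was in it at the time; with both WANs in the pool, each tuple in the route-to list carries its own interface and gateway as above.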